Prevent non-superusers from modifying site settings

 






 

 


  Review Request #8330
  —
  Created Aug. 15, 2016 and submitted 

 


















 

  

   Information

  





 
 

  brennie
 









 
 

  Review Board
 









 
 

  release-2.5.x
 









 
 

  
 









 
 

  8329
 









 
 

  e999957...
 






 




 

  

   Reviewers

  





 
 

  reviewboard
 









 
 

  
 






 








 





  


 
 

  
Previously, any staff member (superuser or non-superuser) could change

any of the site settings. We now prevent all non-superuser staff members

from accessing site settings views so that they cannot. A new decorator

(similar to Django's staff_member_required) has been added to

accomplish this.

 








  


 
 

  
    

  • Manually verified that superusers can still change settings.
    • 

  • Manually verified that non-superusers are shown a permission denied
    
  page.
    • 

  • Manually verified that unauthenticated users are shown a login form.
    • 


 







 









 





  








 

  
  


   

    

     

     

     

    

   


   

  

 







 
 
 

  

   

    

     
    

    
    
     
  • 
      
     
    • 
     
  • 
      
     
    • 
     
  • 
      
     
    • 
     
  • 
      
     
    • 
     
  • 
      
     
    • 
    

   

   

    
     

      Description
      From
      Last Updated
     

    
    



     

      
       
       
This is no longer correct. It should probably also mention that users should use @login_required first.

      		
      
       daviddavid
      
      
       
      
     




     

      
       
       
I think it's a little confusing to redirect to the login page if a user is already logged in. Can …

      		
      
       daviddavid
      
      
       
      
     




     

      
       
       
It's only luck that's making flake8 not complain about this. Can we put all the arguments on the next line …

      		
      
       daviddavid
      
      
       
      
     


    
   

  

 







 






  

 








 














 





 

  

   




reviewbot




   

   





  

 



 

  


   

   

    
 
reviewbot


    
   


  

  

  



    




  1. 
 
    
  
    
   
    Tool: PEP8 Style Checker
Processed Files:
    reviewboard/admin/views.py
    reviewboard/admin/decorators.py



Tool: Pyflakes
Processed Files:
    reviewboard/admin/views.py
    reviewboard/admin/decorators.py


    
  
    
 
    

 
    
  


    
 
    
 
      

  

 
    


    

 
    

    2. 















  2. 
 
    
  
    
   
    
  
    
 
    

 
    
  


    
 
    
 
      

  

 
    


    

 
    

    3. 




  

 
















 





 

  

   




david




   

   







  

 



 

  


   

   

    
 
david


    
   


  

  

  



    




  1. 
 
    
  
    
   
    
  
    
 
    

 
    
  


    
 
    
 
      

  

 
    


    

 
    

    2. 

















  2. 
 
    
  
  
    
  
 
    
  
    
   
    
    
     
    
      
       reviewboard/admin/decorators.py
       


        (Diff revision 1)


       
      
     
    
        
    
     
     
    

     
     
    

        
   
    
  
    
 
    

   
    
    
    




    
 
    
  
  
  

  
  
   Show all issues
  
 
    

    



    
    I think it's a little confusing to redirect to the login page if a user is already logged in. Can we instead show a "permission denied" error?
    
  
    
 
    

 
    
  


    
 
    
 
      

  

 
    


    

 
    

    3. 






  3. 
 
    
  
  
    
  
 
    
  
    
   
    
    
     
    
      
       reviewboard/admin/decorators.py
       


        (Diff revision 1)


       
      
     
    
        
    
     
     
    

     
     
    

     
     
    

        
   
    
  
    
 
    

   
    
    
    




    
 
    
  
  
  

  
  
   Show all issues
  
 
    

    



    
    It's only luck that's making flake8 not complain about this. Can we put all the arguments on the next line and indented 4 spaces from the return?
    
  
    
 
    

 
    
  


    
 
    
 
      

  

 
    


    

 
    

    4. 




  4. 
 
    
  
    
   
    
  
    
 
    

 
    
  


    
 
    
 
      

  

 
    


    

 
    

    5. 




  

 
















 



 

  

   




brennie




   

   

  

 



 















 





 

  

   




reviewbot




   

   





  

 



 

  


   

   

    
 
reviewbot


    
   


  

  

  



    




  1. 
 
    
  
    
   
    Tool: Pyflakes
Processed Files:
    reviewboard/admin/views.py
    reviewboard/admin/decorators.py

Ignored Files:
    reviewboard/templates/admin/permission_denied.html
    reviewboard/static/rb/css/pages/admin.less



Tool: PEP8 Style Checker
Processed Files:
    reviewboard/admin/views.py
    reviewboard/admin/decorators.py

Ignored Files:
    reviewboard/templates/admin/permission_denied.html
    reviewboard/static/rb/css/pages/admin.less


    
  
    
 
    

 
    
  


    
 
    
 
      

  

 
    


    

 
    

    2. 















  2. 
 
    
  
    
   
    
  
    
 
    

 
    
  


    
 
    
 
      

  

 
    


    

 
    

    3. 




  

 
















 





 

  

   




david




   

   







  

 



 

  


   

   

    
 
david


    
   


  

  

  



    




  1. 
 
    
  
    
   
    
  
    
 
    

 
    
  


    
 
    
 
      

  

 
    


    

 
    

    2. 

















  2. 
 
    
  
  
    
  
 
    
  
    
   
    
    
     
    
      
       reviewboard/admin/decorators.py
       


        (Diff revisions 1 - 2)


       
      
     
    
        
    
     
     
    

     
     
    

     
     
    

        
   
    
  
    
 
    

   
    
    
    




    
 
    
  
  
  

  
  
   Show all issues
  
 
    

    



    
    This is no longer correct.
    

    It should probably also mention that users should use @login_required first.
    
  
    
 
    

 
    
  


    
 
    
 
      

  

 
    


    

 
    

    3. 




  3. 
 
    
  
    
   
    
  
    
 
    

 
    
  


    
 
    
 
      

  

 
    


    

 
    

    4. 




  

 
















 



 

  

   




brennie




   

   

  

 



 















 





 

  

   




reviewbot




   

   





  

 



 

  


   

   

    
 
reviewbot


    
   


  

  

  



    




  1. 
 
    
  
    
   
    Tool: Pyflakes
Processed Files:
    reviewboard/admin/views.py
    reviewboard/admin/decorators.py

Ignored Files:
    reviewboard/templates/admin/permission_denied.html
    reviewboard/static/rb/css/pages/admin.less



Tool: PEP8 Style Checker
Processed Files:
    reviewboard/admin/views.py
    reviewboard/admin/decorators.py

Ignored Files:
    reviewboard/templates/admin/permission_denied.html
    reviewboard/static/rb/css/pages/admin.less


    
  
    
 
    

 
    
  


    
 
    
 
      

  

 
    


    

 
    

    2. 















  2. 
 
    
  
    
   
    
  
    
 
    

 
    
  


    
 
    
 
      

  

 
    


    

 
    

    3. 




  

 
















 





 

  

   




david




   

   







  

 



 

  


   

   

    
 
david


    
   


  

  

  



    




  1. 
 
    
  
    
   
    "Testing done" has an extra "Testing done"
    
  
    
 
    

 
    
  


    
 
    
 
      

  

 
    


    

 
    

    2. 















  2. 
 
    
  
    
   
    
  
    
 
    

 
    
  


    
 
    
 
      

  

 
    


    

 
    

    3. 




  

 
















 



 

  

   




brennie




   

   

  

 



 















 



 

  

   




brennie




   

   

  

 



 

  


   

   

    
 Review request changed

    
   


  

  

  







  

   

    Status:
   

   


    Completed

   

  




  

   

    Change Summary:
   

   

    
Pushed to release-3.0.x (5480b16)